Monday, 11 November 2013

"To all Employees - Confidential Message" spam / To All Employees 2013.zip.exe

This fake "all employees" email comes with a malicious attachment:

Date:      Mon, 11 Nov 2013 11:28:29 +0000 [06:28:29 EST]
From:      DocuSign Service [dse@docusign.net]
Subject:      To all Employees - Confidential Message

Your document has been completed

Sent on behalf of administrator@victimdomain.

All parties have completed the envelope 'Please DocuSign this document: To All Employees 2013.doc'.

To view or print the document download the attachment.

(self-extracting archive, Adobe PDF)

This document contains information confidential and proprietary to spamcop.net

LEARN MORE: New Features | Tips & Tricks | Video Tutorials

DocuSign. The fastest way to get a signature.

If you have questions regarding this notification or any enclosed documents requiring your signature, please contact the sender directly. For technical assistance with the signing process, you can email support.

This message was sent to you by administrator@victimdomain who is using the DocuSign Electronic Signature Service. If you would rather not receive email from this sender you may contact the sender with your request.

The attachment to the email is called To All Employees 2013.zip, which contains To All Employees 2013.zip.exe. The executable has an icon that makes it look like a PDF file. This malicious file has a VirusTotal detection rate of 7/47.
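
A mail gateway or triage script can catch this kind of attachment from the archive listing alone. The following is an added example, not code from the original post: the function names `scan_zip` and `build_sample` and the two extension lists are illustrative assumptions, and the sample archive is constructed in memory from harmless bytes.

```python
import io
import zipfile

# Illustrative lists (assumptions, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd"}
DECOY_EXTS = {"zip", "pdf", "doc", "docx", "xls", "xlsx", "jpg", "txt"}


def scan_zip(zip_bytes):
    """Return {member name: [reasons]} for members that look like disguised executables."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Take the file name only; tolerate backslashes from non-conforming tools.
            base = info.filename.replace("\\", "/").rsplit("/", 1)[-1]
            # Strip padding so "report.pdf      .exe" is treated like "report.pdf.exe".
            parts = [p.strip().lower() for p in base.split(".")]
            reasons = []
            if len(parts) >= 2 and parts[-1] in EXECUTABLE_EXTS:
                reasons.append("executable extension")
                if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
                    reasons.append("double extension ." + parts[-2] + "." + parts[-1])
            if info.flag_bits & 0x1:
                # Encrypted members cannot be inspected without the password.
                reasons.append("encrypted member")
            else:
                with zf.open(info) as member:
                    if member.read(2) == b"MZ":  # DOS/PE executable magic
                        reasons.append("MZ header")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample():
    """Constructed sample: only the member name and 2-byte magic mimic the lure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("To All Employees 2013.zip.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"plain text")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in scan_zip(build_sample()).items():
        print(name, "->", ", ".join(reasons))
```

The icon trick works because Windows hides known file extensions by default, so the check is on the member name and header bytes rather than on what the user would see.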

Automated analysis [1] [2] shows a callback to trc-sd.com on 121.127.248.74 (Sun Network, Hong Kong). This IP address hosts several legitimate sites, so bear that in mind if you block the IP.
